Re: Automating Auditing of Directory Service Objects

 
 
Ace Fekay [MVP - Directory Services, MCT]
05-19-2010

On Wed, 19 May 2010 06:42:49 -0700 (PDT), Neil
<> wrote:

>Hi. Is there a way to automate the deployment of Auditing settings to
>the OU's in AD? I only have a handful so it doesn't have to be TOO
>efficient. These have to be deployed automatically (via script,
>command line or whatever) if at all possible.
>
>Is this possible? If so, where can I start looking?
>
>Thanks!


If auditing of Directory Service Objects, that would be set on the
domain controllers, either individually or using a GPO and linked to
the Domain Controllers OU.

There are also purchasable third party auditing tools that are more
elaborate.

Have you tried using a GPO yet for this purpose? If so, have you had
any problems?

Ace

This posting is provided "AS-IS" with no warranties or guarantees and confers no rights.

Please reply back to the newsgroup or forum for collaboration benefit among responding engineers, and to help others benefit from your resolution.

Ace Fekay, MVP, MCT, MCITP EA, MCTS Windows 2008 & Exchange 2007, MCSE & MCSA 2003/2000, MCSA Messaging 2003
Microsoft Certified Trainer
Microsoft MVP - Directory Services

If you feel this is an urgent issue and require immediate assistance, please contact Microsoft PSS directly. Please check http://support.microsoft.com for regional support phone numbers.
 

Ace Fekay [MVP - Directory Services, MCT]
05-24-2010

On Wed, 19 May 2010 23:55:30 -0700 (PDT), Neil
<> wrote:

><snip>
>>
>> If auditing of Directory Service Objects, that would be set on the
>> domain controllers, either individually or using a GPO and linked to
>> the Domain Controllers OU.
>>
>> There are also purchasable third party auditing tools that are more
>> elaborate.
>>
>> Have you tried using a GPO yet for this purpose? If so, have you had
>> any problems?
>>
>> Ace
>
>Thanks for the reply! I know you can enable the auditing via GPO and
>the 'Audit Directory Service Access' policy setting (to enabled). In
>addition to this, you then have to enable auditing on the objects you
>want (like setting it to audit any failure for 'UserX' on the OU 'Y').
>
>So a better way to ask my question would be;
>
>"Is there any way to programmatically set SACLs on Directory Service
>objects?"
>
>Thanks!


That would be a question better suited for the programming forums
(such as VB and ADSI scripts).

A couple of the folks that respond in this newsgroup and forums are
familiar with this area. Sorry I can't better help you in this area.

Ace
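
Added example, not part of the thread or written by either poster: one way to set the SACL entry described in the question (audit any failure for one account on an OU) from PowerShell. It assumes the ActiveDirectory module and its AD: drive are available and that the 'Audit Directory Service Access' policy is already enabled on the domain controllers; the OU and account names are placeholders.

```powershell
# Added example. Assumes the ActiveDirectory module (provides the AD: drive) and
# an account with the "Manage auditing and security log" right on the DCs.
# The OU and account names are placeholders, not values from the thread.
Import-Module ActiveDirectory
Add-Type -AssemblyName System.DirectoryServices

$ouDns     = @('OU=Y,DC=example,DC=com')   # placeholder: OUs to audit
$principal = 'EXAMPLE\UserX'               # placeholder: account to audit

# Resolve the account to a SID once so rule comparison is unambiguous.
$account = New-Object System.Security.Principal.NTAccount($principal)
$sid     = $account.Translate([System.Security.Principal.SecurityIdentifier])

# Audit any failed access by that account on the OU and everything beneath it.
$ruleArgs = @(
    $sid,
    [System.DirectoryServices.ActiveDirectoryRights]::GenericAll,
    [System.Security.AccessControl.AuditFlags]::Failure,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All
)
$rule = New-Object -TypeName System.DirectoryServices.ActiveDirectoryAuditRule -ArgumentList $ruleArgs

foreach ($dn in $ouDns) {
    $path = "AD:\$dn"

    # -Audit is required; without it Get-Acl does not read the SACL.
    $acl = Get-Acl -Path $path -Audit

    # Skip OUs that already carry an equivalent explicit entry (safe to re-run).
    $present = $acl.GetAuditRules($true, $false, [System.Security.Principal.SecurityIdentifier]) |
        Where-Object {
            $_.IdentityReference -eq $sid -and
            $_.AuditFlags -eq $rule.AuditFlags -and
            $_.ActiveDirectoryRights -eq $rule.ActiveDirectoryRights -and
            $_.InheritanceType -eq $rule.InheritanceType
        }
    if ($present) { Write-Output "unchanged: $dn"; continue }

    $acl.AddAuditRule($rule)
    Set-Acl -Path $path -AclObject $acl
    Write-Output "audit rule added: $dn"
}
```

Reading the SACL back with `(Get-Acl -Path $path -Audit).Audit` after the run confirms the entry was written.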
 